Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Security hole in kppp
From: wuebben () MATH CORNELL EDU (Bernd Johannes Wuebben)
Date: Wed, 29 Apr 1998 15:19:40 -0400

This bug has been fixed a while ago. Users of kppp in a
security sensitive environment should upgrade to kppp-1.1.3.

Furthermore, I urge users of kppp in a security sensitive
environment to not run kppp SETUID root, but rather to
create a modem group.

kppp-1.1.3 is available in the kdenetwork package in the
snapshots directory on ftp.kde.org and its mirrors.

Best Regards,
Bernd Wuebben

I found an xploitable bug in my kppp application that comes with KDE
Local user can execute malicious code to obtain root access/shell.

gollum:~$ cd /usr/local/kde/bin
gollum:/usr/local/kde/bin$ ls -la kppp
-rwsr-xr-x   1 root     root       262516 Mar 15 01:17 kppp*
( ^- suid!)

gollum:/usr/local/kde/bin$ kppp -h
kppp -- valid command line options:
-h describe command line options
-c account_name : connect to account account_name
-q : quit after end of connection
-r rule_file: check syntax of rule_file

I discover that -c option is buggy and root xploitable buffer overflow.

Bernd Johannes Wuebben                          wuebben () kde org
wuebben () math cornell edu                        wuebben () acm org

  By Date           By Thread  

Current thread:
  • Security hole in kppp |[TDP]| (Apr 29)
    • <Possible follow-ups>
    • Re: Security hole in kppp Bernd Johannes Wuebben (Apr 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]